wolfssl: preserve early-data handling across WANT_WRITE retries

[rizlik]

Server-side accept (TLS 1.3/DTLS 1.3) could lose the early-data shortcut whenever sending the Finished flight first hit WANT_WRITE. The buffered data advanced acceptState past TLS13_ACCEPT_FINISHED_SENT as soon as it flushed, so the next wolfSSL_accept() call skipped the block that marks SERVER_FINISHED_COMPLETE and lets the application drain 0-RTT data. By keeping the FALL_THROUGH into TLS13_ACCEPT_FINISHED_SENT and only returning early while that handshake flag is still unset, we revisit the shortcut immediately after the buffered flight is delivered, preserving the intentional behaviour even under non-blocking I/O.

On the client, the same pattern showed up after SendTls13ClientHello() buffered due to WANT_WRITE: after flushing, the connect state is already CLIENT_HELLO_SENT so the early-data exit is no longer executed. We now fall through into the CLIENT_HELLO_SENT case and only short-circuit once per handshake, ensuring the reply-processing loop still executes on the retry.

Testing still missing

[rizlik]

retest this please

[rizlik]

retest this please

[rizlik]

retest this please

[rizlik]

retest this please

RequestAbortedException

[devin-ai-integration[bot]]

🛟 Devin Lifeguard found 2 likely issues in this PR

• no-void-functions snippet: Change wolfSSL_maybeCheckAlertOnErr to return an int (e.g. 0 on success or a negative error code) and update all call sites to check and propagate this return value instead of ignoring potential failures.
• check-all-return-codes snippet: Capture the return value from ProcessReplyEx(), check it for an error (e.g., int rc = ProcessReplyEx(ssl, 1); if (rc != 0) ssl->error = rc;), or explicitly document with a cast to void if the result is intentionally ignored.

@rizlik please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

[rizlik]

retest this please

[rizlik]

retest this please:

AgentOfflineException exception: